Skip to content

Jump-box shell for Docker - secure remote ssh into containers with ACL

Notifications You must be signed in to change notification settings

muayyad-alsadi/docker-jumpshell

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Jump shell for Docker

Used as user shell to allow developers jump into their containers using ssh

Features

  • simple and effective ACL, just run the container with -l owner=myuser or -l group=mygroup
  • access to all containers if you are member of jumpshell-all group (beside jumpshell group)
  • opens all owned containers in tmux windows
  • interactive picker ssh -t myuser@remote picker
  • scriptable non-interactive mode ssh myuser@remote mycontainer cat /etc/hosts | wc -l
  • tail container logs ssh myuser@remote docker_logs mycontainer | grep ERROR
  • and with log picker ssh -t myuser@remote docker_logs

Container Picker

Container Logs

Security

  • developers are NOT granted access to host
  • developers are NOT granted access to docker socket
  • developers can NOT execute random docker commands
  • only listing owned containers and exec inside owned containers is allowed
  • only containers having special labels are allowed
  • sudo is only to a simple helper script that do the above checks

FAQ

  • Can I use it with mosh?
    • yes, it just work
  • Can I use it to create tunnels to a container port?
    • yes ssh -L 8080:<CONTAINER_IP>:8080 -t myuser@remote picker (don't forget -t)
  • How can I receive a file from the container?
    • simply cat it, like this ssh myuser@remote mycontainer cat /path/to/myfile > ./myfile
  • How can I send a file to the container?
    • simply cat it, like this ssh myuser@remote mycontainer bash -c "cat > /path/to/myfile" < ./myfile
  • How can I receive a directory from the container?
    • simply tar it, like this ssh myuser@remote mycontainer tar -czf - /path/to/mydir | tar -xzf - -C .
  • How can I send a directory to the container?
    • simply tar it, like this tar -czf - . | ssh myuser@remote mycontainer tar -xzf - -C /path/to/mydir
  • Is it possible to scp?
    • no, use tar trick above
  • Is it possible to rsync over ssh?
    • no, use tar trick above
  • How to remove access from a user? I can't remove docker label!
    • remove the public key from authorized_keys
    • or remove the UNIX user from jumpshell group
  • Can I define custom shell?
    • yes, pass -l shell=/full/path/to/shell
    • no need to define it for bash and sh
  • I have running countainers without labels how I access them?
    • add your user to jumpshell-all group.

Requirements

  • docker with label support
  • tmux
  • whiptail

Setup

Just place them in a place like /usr/local/bin/

cd /usr/local/bin/
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell-helper.sh
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell.sh
chmod +x docker-jumpshell*.sh

create a group to be allowed to jump into their owned docker containers

groupadd jumpshell

add the following to /etc/sudoers.d/docker-jumpshell

Defaults    !requiretty
%jumpshell	ALL=(ALL)	NOPASSWD: /usr/local/bin/docker-jumpshell-helper.sh

add the user, make his shell be the script, run a container of your choice named after the user

useradd myuser
usermod -a -G jumpshell myuser
chsh -s /usr/local/bin/docker-jumpshell.sh myuser
docker run -d -t --restart=always --name=my-fedora -l owner=myuser fedora/systemd-systemd
docker run -d -t --restart=always --name=my-ubuntu -l owner=myuser ubuntu-upstart:trusty

add public keys to /home/myuser/.ssh/authorized_keys and make sure they have right permissions

sudo -u myuser /bin/bash -l
mkdir -p /home/myuser/.ssh/
vim /home/myuser/.ssh/authorized_keys
chmod 700 /home/myuser/.ssh/authorized_keys
chmod 644 /home/myuser/.ssh/authorized_keys

now you can execute commands in the container or have interactive shells on it

ssh -t myuser@remotebox picker
ssh -t myuser@remotebox my-fedora
ssh myuser@remotebox my-fedora cat /etc/hosts
ssh myuser@remotebox

in tmux use

  • CTRL+B n to move to next window,
  • CTRL+B c to create a new window
  • CTRL+B d to detach

How it works

members of group jumpshell are allowed to sudo the helper script.

the helper script is a simple secure script that

  • sudo itself if not root
  • accept only two commands ls and exec
  • ls would list all containers having label owner=<USER> or group=<GROUP>
  • exec is followed by container id
  • exec validates that the given container have the suitable label (authorize)
  • exec <ID> would run interactive bash inside the given container
  • exec <ID> <COMMAND> would run bash -c "COMMAND" inside the given container
  • logs <ID> tail and follow logs of given container

the shell of the desired user is set to docker-jumpshell.sh which has more complex logic but it's safe because the user can't sudo it the shell is executed when users access it remotely via ssh

Group Access

If a container is to be accessed by more than one user, create a UNIX group for that by typing groupadd jumpshell-mygroup then add users to that group, then run your docker containers with label group=mygroup

NOTE: we have added jumpshell- prefix to UNIX group name that is omitted from docker label. The reason behind this is to allow you so that UNIX admin is not jumpshell-admin